Encryption on computing device

ABSTRACT

A first component of a cryptographic key is received from a user via a user interface of a user computing device. A second component of the cryptographic key is received via a short-range communication interface that communicatively couples the user computing device to a physically separate storage device. The cryptographic key is generated based at least on the first component and the second component. The cryptographic key is then used to encrypt and/or decrypt data.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 14/822,269, entitled “Encryption on Computing Device”, filed Aug. 10, 2015, which is a continuation of U.S. patent application Ser. No. 14/271,883, entitled “Encryption On Computing Device,” filed May 7, 2014, which are hereby incorporated herein by reference in their entirety.

FIELD OF THE DISCLOSURE

This disclosure relates generally to providing data protection for a computing device and more particularly to providing data protection for data contained on the computing device, using encryption of the data to block unauthorized access to the data.

SUMMARY

One embodiment of the techniques of this disclosure is a method for generating cryptographic keys for encrypting and decrypting data, which can be executed by one or more processors. The method includes (i) receiving a first component of a cryptographic key from a user via a user interface of a user computing device, (ii) receiving a second component of the cryptographic key via a short-range communication interface that communicatively couples the user computing device to a physically separate storage device, (iii) generating the cryptographic key based at least on the first component and the second component; and (iv) using the cryptographic key to encrypt and/or decrypt data, by the one or more processors.

Another embodiment of these techniques is a network server including a communication interface to communicatively couple the network server to a user computing device via a communication network, and processing hardware. The processing hardware is configured to receive a request for a cryptographic key from the user computing device, where the request includes a first component of the cryptographic key, the first component having been specified by a user of the user computing device. The processing hardware is further configured to automatically generate a second component of the cryptographic key in response to the request, and provide the second component of the cryptographic key to the user device for storage on a storage device physically separate from the user computing device. The user computing device is configured to (i) generate the cryptographic key based at least on the first component and the second component of the cryptographic key and (ii) encrypt and/or decrypt user-selected data using the cryptographic key.

Yet another embodiment of these techniques is a method in a user computing device for efficiently encrypting and/or decrypting data, which can be executed on one or more processors. The method includes (i) receiving an indication that a storage device physically separate from the user computing device is now communicatively coupled to the user computing device via a short-range communication interface, (ii) receiving, by the one or more processors, a first component of a cryptographic key from a user via a user interface, (iii) retrieving, from the storage device, (a) a second component of the cryptographic key, (b) first control data, and (c) second control data corresponding to the first control data encrypted using a correct version of the cryptographic key, (iv) generating the cryptographic key based at least on the first component and the second component; and (v) determining whether the generated cryptographic key is correct using the first control data and the second control data.

Still another embodiment of these techniques is a network server including a communication interface to communicatively couple the network to a user computing device via a communication network, a non-transitory computer-readable medium storing instructions that implement a data protection software module, and processing hardware. The data protection software module, when executed on one or more processors of the user computing device, causes the user device to (i) receive a first component of a cryptographic key from a user via a user interface of the user computing device, (ii) receive a second component of the cryptographic key via a short-range communication interface that communicatively couples the user computing device to a physically separate storage device, and (iii) generate a cryptographic key based at least on the first component and the second component, for use in encrypting and/or decrypting user-selected data. The processing hardware is configured to provide an instance of the data protection software module to the client device.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a block diagram that schematically illustrates a method for encryption and decryption of data using two keys, where one of the two keys is stored on a removable peripheral storage device;

FIG. 1B is a block diagram that schematically illustrates a method for verification of a removable peripheral storage device using control input and control output stored on the removable peripheral storage device;

FIG. 2 is a block diagram of an example computing system in which encryption, decryption, and key management techniques of this disclosure can be implemented;

FIG. 3A is a block diagram of an example user device that can operate in the computing system of FIG. 2;

FIG. 3B is a block diagram of an example software module that can be implemented in the user device of FIG. 3A to encrypt and decrypt data using two keys;

FIG. 4A is a block diagram of an example server that can operate in the computing system of FIG. 2;

FIG. 4B is a block diagram of an example software system that can be implemented in the server of FIG. 4A to manage keys and provide other functions related to encryption and decryption techniques of this disclosure;

FIG. 5 is a flow diagram of an example method for creating a pair of keys and generating authentication information for a removable storage device, which can be implemented in the user device of FIG. 3A;

FIG. 6 is a flow diagram of an example method for encrypting data using one component of a key stored on a removable storage device and another component of a key submitted by a user, which can be implemented in the user computing device of FIG. 3A;

FIG. 7 is a flow diagram of an example method for generating authentication information for a removable storage device, which can be implemented in the server of FIG. 4A; and

FIG. 8 is a flow diagram of an example method for authenticating a removable storage device storing a key.

DETAILED DESCRIPTION

Through use of computing devices with respect to business or social interaction, people today are being inundated with business, technological and social related data and information. This data, as a result, is often stored on one's computing device(s). Since much of this information may be considered sensitive and/or confidential, no one wants the information accessible to unauthorized persons that may come into possession of their computing device. One approach to protecting this information is to encrypt the information on the computing device with the use of encryption/decryption techniques such as Advanced Encryption Standard (AES) or the like. The encryption/decryption software will encrypt the sensitive and/or confidential information stored on the computing device and, in turn, permit access to the information by the authorized user using the software to decrypt the information when access to the information is needed.

Data files that will often be encrypted will include, for example, audio, video and text files and the like and will often be stored in an encrypted state on the computing device. As mentioned above, the software employed to encrypt and decrypt these files will include AES, other commonly known encryption/decryption algorithms which utilize a key, or customized software designed to operate on the devices discussed below. The key is typically a parameter associated with the encryption/decryption software that, when employed in association with the encryption/decryption software, will transform the data into an encrypted state, one that is not understandable to a viewer. It will also transform that encrypted data back to its original unencrypted state so as to be easily understood by the viewer. In the unfortunate instance of an unauthorized person coming into possession of another's computing device, the unauthorized person is only separated from using the encryption and decryption software successfully to transform the stored data into an understandable state by not having the correct key. The key is typically created or set by the authorized user of the computing device in the form of a password.

These passwords can be compromised in any number of ways, which include obtaining the password from an authorized user who has not properly secured the identity of the password. Once in possession of the password or key, in this example, the unauthorized user will have complete access to correctly use the encryption/decryption software stored on the computing device and thereby be able to successfully decrypt encrypted files and access the data of those decrypted files. An object of this disclosure is to provide additional layers of security or depth of security so as to prevent an unauthorized user from acquiring the identity of a key. By further securing the identity of the key, the unauthorized user will not be able to access the encrypted confidential and/or sensitive data stored on the computing device.

In this disclosure, the key for correctly running the encryption/decryption software must first be fully assembled from component parts which originate from separate sources. One component part of the key will be stored on a peripheral storage device. This one component, as will be discussed in more detail below, will have been previously randomly generated by an online security service and downloaded onto the user's peripheral storage device via the user's computing device at a time in which the user registers with the online security service. The peripheral storage device can be used within a short range of the computing device. With the computing device interfacing with the peripheral storage device, the computing device will automatically read the one component portion of the key stored on the peripheral device. In using the peripheral storage device after the initial registering with an online security service, the one component of the key is transferred to the computing device from the storage device without user interaction. Additionally, this peripheral storage device, at the time of user registration with the online security service, will also download additional data from the online security service in order to authenticate itself, which will be discussed in more detail below.

In this disclosure, another component part of the key will be needed to add to the one component of the key that has already been contributed by the peripheral storage device in order to assemble a complete and operable key. A complete key is needed: otherwise the encryption/decryption software stored on the computing device will not properly encrypt and decrypt data. The other component of the key will be one generated or created by the user also at the time the user registers their computing device with the online security service. For purposes of successfully operating the encryption/decryption software on the computing device, the user will have to input this other component of the key, typically a password, into the computing device through an input device, such as a keyboard or other commonly known input device.

With the user having the peripheral storage device interface with the computing device contributing one component of the key and the user inputting the password, the other component of the key, the key is fully assembled. As mentioned above, the user's computing device will run an authentication or verification routine that will determine if the storage device is the proper one with a correct one component of the key and will also further verify whether the user has input the correct password or other component of the key, thereby verifying the correct completion of the assembly of the key. If the key is verified, the user will be able to use the key successfully with the encryption/decryption software on the computing device to encrypt and decrypt data files on the computing device for that session.

Depending on the embodiment, a session during which an assembled key is valid can stay active while the user is logged in, while the peripheral storage device is connected to the computing device, while the computing device is powered on, while a timer is running, or subject to any other suitable condition(s). The session accordingly can end when the user logs out, shuts down the computing device, removes the peripheral storage device, etc.

During an active session, the encryption/decryption software of this disclosure can access the assembled key in a volatile (non-persistent) memory such as RAM. The encryption/decryption software does not store the assembled key in a persistent memory. In general, the assembled key is not stored anywhere in a persistent memory except in a database maintained by the online security service, as discussed in more detail below. When the session is no longer active, the assembled key is purged from the non-persistent memory, so that the encryption/decryption software can no longer encrypt or decrypt data. To start a new session, the user will once again need to provide login/password information defining one of the component parts of the key.

If the user fails to successfully establish a session for failure to supply the proper password (corresponding to one of the component parts of the key), insert the correct peripheral device, etc., the encryption/decryption software cannot properly encrypt data or decrypt previously encrypted files. In one embodiment, the encryption/decryption software does not prevent the user from operating the computing device when a session fails. However, the user in this case cannot decrypt previously encrypted files or encrypt new data. The user still can, for example, use the other functionality of the computing device. Further, if the user chooses to create new files, he or she cannot protect these files using the encryption techniques of this disclosure.

An embodiment of assembling the component parts of the decryption and encryption key from separate sources would include using a Universal Serial Bus (USB) flash drive as the peripheral storage device that will store the one component or portion of the key. The USB flash drive will be inserted into the USB port of the computing device and will automatically interface with the computing device, uploading the one component of the key to the computing device. The other component or portion of the key that will be needed to complete a functional key will be a password created by the authorized user also during the registration process with the online security service. The user will be prompted to enter this other component of the key onto the computing device and the user will enter it through an input device of the computing device such as a keyboard. The software downloaded onto the user's computing device by the online security service at the time of registration will run a verification process of the assembled key now that one component and the other component have been entered onto the computing device. The verification will generally include utilizing a test file and applying the complete key with the encryption/decryption software to decrypt the test file that was previously encrypted and downloaded onto the peripheral device during registration. That encrypted test file was encrypted with the correct complete key and the encryption/decryption software or using the same encryption/decryption technique. The unencrypted version of this test file was also downloaded on the peripheral storage device at the time of registration. The encrypted test file is now subjected to the complete key assembled from one component stored on the peripheral device and the other component input by the user along with the encryption/decryption software that had been downloaded by the online security service onto the computing device during registration.
The encrypted file is thus transformed and compared to see if it matches the unencrypted test file. If there is a match, the peripheral storage device is the correct one carrying one component of the key and the password input by the user was correct, completing the assembling of the complete key. This authentication process will be discussed in more detail below. Should the test result be a successful match, the user is informed the proper key has been assembled and the user can now proceed to utilize the encryption/decryption software with the completed key to successfully encrypt and decrypt data on their computing device.

Thus, to gain access to the encrypted information on the computing device the user must be in possession of the computing device, the correct peripheral storage device containing one component of the key and the other component or password portion of the key which had been created by the authorized user. Thus, additional security is provided herein with the user having to not only be in possession of the computing device but also, in this embodiment, the proper USB flash drive device carrying the one component of the key and of the password which comprises the other component of the key in order to fully assemble a complete key and be able to successfully operate the encryption/decryption software on that computing device. The user is then capable of successfully carrying out decryption and encryption functions with the encryption/decryption software which had been stored on the computing device during the user's registration process with the online security service.

As will be discussed in more detail herein, a user that wishes to protect the data stored on their computing device will register with an online security service. At that time the user will be asked to provide the online security service information identifying the user, credit card information and the identity of the computing device. During this registration process the online security service will install on the user's computing device the encryption/decryption software for encrypting and decrypting information to be stored on the computing device. As mentioned above, this encryption/decryption software for this embodiment will be AES; however, any other higher level known standard encryption/decryption algorithm may be used. During the installation of this software onto the computing device, the user will be asked to insert a peripheral storage device, or in this embodiment a USB flash drive, into the USB port of the computing device. The online security service will install onto the USB flash drive one component of the key for the encryption/decryption software which the online security service randomly generated. The online security service will also provide the user's computing device with a software module for authenticating the USB drive. Additionally, the user will be asked to create a password, in this embodiment, which will be the other component to assembling a complete key. The password created by the user will allow the online security service to use this password along with the one component of the key it had randomly generated to complete the key. These two components of the key will need to be assembled through actions of the user on occasions when the user needs to successfully encrypt and decrypt data on their computing device.
In this embodiment, in the subscription and registering process with the key being completed and the encryption/decryption software installed, the user will be asked whether all of the stored data files shall be encrypted or whether data files will be encrypted as selected by the user. This registration process will be discussed in more detail herein.

Once the user has registered with the online security service by registering themselves and the computing device, downloading the encryption software, uploading to their peripheral storage device one component of the key and authentication software, and creating a password that comprises the other component for completing the key, the user has taken the steps they need to protect confidential and/or sensitive data files stored on their computing device. An unauthorized user in possession of the computing device, but without access to the external peripheral storage device (such as the USB flash drive, which in this embodiment carries one component of the key), to the authorized user's password (the other component of the key), or to both, will not be able to successfully access or view the confidential and/or sensitive stored encrypted data on the computing device.

Encryption and decryption appear seamless to the user of the computing device. In particular, the user at some point selects a certain set of files, such as for example the entire hard drive, one or several folders, all text files, etc. The user subsequently accesses these files during active sessions (see above) without being notified or prompted about every encryption or decryption operation. For example, when the user opens or saves one of these files, the encryption/decryption software automatically performs the encryption or decryption operation in a seamless manner, without distracting the user. To this end, as illustrated in FIG. 3A, the encryption/decryption software can operate in a kernel mode, for example, to reside as a software layer between applications (e.g., text editors, graphics editors, browsers) and operating system calls for accessing hardware components such as the hard disk.

In another embodiment, with the authorized user having assembled the key by inserting the USB flash drive and entering the password, the user can select a particular file and decrypt it. The file can be closed out and the data will remain stored as an encrypted file. New data may be entered into a decrypted file or a new file can be created and, with saving either, the file with the new data is encrypted. Thus, using the saving function will encrypt the file.

At the time of registration the online security service will securely store the registration data including the identity of the user and of the computing device, along with the randomly generated one component of the key for that user and the user's other component of the key or password. As a result, the user will be able to subsequently contact the online security service for a number of services related to maintaining the security of their computing device. These services could include assistance in retrieving a password that was forgotten or changing it. The user may have broken, destroyed or lost their peripheral storage device. Under those circumstances, the online security service will also assist the user in replacing the one component of the key or providing a new one component of the key with respect to that which was stored on the peripheral storage device at the time of original subscription and registration. These services will be provided by the online security service with the normal security measures taken to assure the requester is the authorized user of the registered computing device. These measures can include requiring the user to respond to a question to provide very private personal information to the online security service at the time of registration and ask the current requester the same question and match the answer to the original answer provided at the time of registration and if there is a match the online security service will provide the requested services.

In referring to FIG. 1A, a block diagram is shown that schematically illustrates an embodiment of the method of the present disclosure to encrypt and decrypt data stored on a computing device. In order to carry out this method, encryption and decryption software will have been downloaded on the computing device and will be executable by one or more processors on the computing device. The software will operate in conjunction with a complete key associated with that software, on data stored or being stored on the computing device. The step of encryption and decryption of data stored on a computing device is represented by box 100. In this embodiment, the encryption and decryption step 100 will only be able to be successfully carried out to encrypt and decrypt data on the computing device, as mentioned above, with a complete key assembled and working in conjunction with the encryption and decryption software.

One component 102, which is stored on peripheral storage device 104, automatically downloads onto the peripheral storage device 104 interfacing with the computing device. In this embodiment, device 104 is a USB flash drive and it interfaces with computing device by inserting the USB flash drive into the USB port of the computing device. This one component 102 of the key was previously randomly generated and uploaded to the USB flash drive by an online security service during the subscription and registration process with the user. The other component of the key 106 will be input into the computing device by way of user input 108. In this embodiment, the other component 106 of the key will be a password that was created by the user during the registration process between the user and the online security service and is input into the computing device with a keyboard connected to the computing device; however, other inputs can be employed.

The components 102 and 106 can equally contribute to the overall strength of the key or provide different contributions to the overall strength of the key, depending on the embodiment. Thus, in one embodiment, each of the components 102 and 106 occupies the same number of bytes. In another embodiment, component 106 is relatively short (e.g., six characters occupying six bytes) while component 106 is relatively long (e.g., 26 characters occupying 26 bytes).

With the two components of the key 102 and 106 present on the computing device, the complete key has been assembled and is an operable parameter that works in conjunction with the encryption and decryption software. The software can now be executed successfully on the data on the computing device to carry out the step of encryption/decryption 100 of the data the user has selected.

As will later be described in more detail, when the user initially subscribes and registers their computing device with the online security service, the complete key will be assembled at that time and, the encryption/decryption software having been uploaded onto the computing device, the user will, in this embodiment, be asked to elect to proceed with the encryption of all files stored on the computing device or to elect to proceed to encrypt those files selected by the user that are stored files on the computing device. In either case, the user will be permitting the encryption/decryption software to operate on stored data in the step of encryption and decryption 100, resulting in the step of creating encrypted data 110.

Subsequent to the initial registration process the user will be able to create encrypted data 110 on their computing device in the presence of a fully assembled key and the encryption/decryption software that is executable by a processor on the computing device, by selecting file(s) that are not encrypted and saving the file(s). This will result in the operation of the software of the encryption/decryption step 100, thereby encrypting that data and creating encrypted data 110. Also, the user can save edited versions of unencrypted data they are working on on their computing device or save new stand-alone data they have created or placed on their computing device, thereby operating the software of the encryption/decryption step 100, which will also result in encrypted data 110.

On the other hand, in the presence of the fully assembled or complete key on the computing device and the encryption and decryption software executable on the computing device, the user can decrypt previously encrypted information or data files stored on the computing device. The user can select a previously encrypted stored data file on the computing device to view, for example, and the step of encryption/decryption 100 will operate on the encrypted data and accordingly transform the data, thereby creating decrypted data 112. In some embodiments, the decryption is seamless, and the user does not notice the file is being decrypted. For example, the user can simply select the file for reading, and the step of encryption/decryption 100 executes automatically.

In referring to FIG. 1B, a block diagram is shown that schematically illustrates a method for verification of the removable peripheral storage device 104. This verification process includes a control input 114, control output 116 and one component 102 being stored on the removable storage device 104 during the registration process with the online security service. In this embodiment, authenticating peripheral storage device 104 is a step taken before any decryption or encryption of data takes place on the computing device. In this embodiment, at a time the user wants to decrypt a particular data file stored on their computing device or wants to encrypt data, the user will need to connect the peripheral storage device 104 to interface with the computing device. As mentioned earlier, in this example, this will be accomplished by inserting the USB flash drive into the USB port of the computing device. In one embodiment, this will automatically trigger execution of peripheral device authentication software on the computing device, which will retrieve one component 102 of the key from peripheral storage device 104 (that was earlier randomly generated by the online security service at the time the user registered and subscribed to the security service).

In this embodiment, the control input file 114 and the control output file 116 that were downloaded onto the peripheral storage device 104 are text files but can be any data that can be encrypted and decrypted with encryption/decryption software such as AES or other encryption and decryption algorithms. During the registration process, as will be discussed in more detail below, a complete key was assembled that operates as a parameter in conjunction with the encryption/decryption software the online security service also downloaded onto the computing device during the registration process. Control input file 114 is a text file, in this example, that was encrypted with the complete key and the encryption/decryption software before it was downloaded onto the memory of the peripheral storage device 104 in the registration process. The control output file 116 is the unencrypted version of the control input file 114, which was stored in the memory of the peripheral storage device 104 as well.

With the USB flash drive 104 inserted into the USB port of the computing device, the one component 102 of the key is automatically uploaded onto the computing device. The user will be prompted by the computing device by way of the encryption/decryption software on the computing device to enter the other component 106 of the key by way of user interface 108, or in this example, the computing device keyboard. With both components of key 104 and 106 present, control input file 114 is forwarded from the memory of the peripheral storage device 104 to the computing device and subjected to the encryption/decryption software and the step of encryption/decryption 100 is executed on control input file 114, thereby decrypting control input file 114. The result of this decryption of control input file 114 is forwarded to a comparator 118 of the verification software downloaded by the online security service during the registration process. The decrypted control input file 114 is compared to the control output file 116, which has also been forwarded from the memory of the peripheral storage device 104, and if the decrypted control input file 114 equates to or is the same as control output file 116, the verification of the peripheral storage device 104 has been accomplished. At this point the user can proceed to encrypt and decrypt data on the computing device. If the comparison of the decrypted control input file 114 and control output file 116 results in them not equating or being the same, the user will not be able to exercise successful encryption and decryption operations on the computing device. In either case, the peripheral device authentication software can provide an appropriate notification via the user interface of the computing device.

In another embodiment, comparator 118 can compare two encrypted versions of a same file. In other words, control input file 114 can be unencrypted, and control output file 116 encrypted, versions of a same file. Encryption/decryption step 100 in this case performs encryption rather than decryption.

In referring to FIG. 2, it is a block diagram of an example computing system in which encryption, decryption, and key management techniques of this disclosure can be implemented. In the embodiment shown in FIG. 2, a security providing service system 120 operates through data protection server 122 providing the user of a computing device 126 a service as described herein for protecting the data stored on the user's computing device 126 from access by an unauthorized user in possession of the computing device 126.

It will be understood by those skilled in the art that data protection server 122 could include a single server that performs all of the functions described below or could be divided into any number of servers as desired. This server 122 is connected to the network 124 which could be a variety of network types such as the Internet, a LAN, a WAN, cellular, WiFi, etc. The user that wishes to subscribe to the security service for securing data stored on their computing device that is provided by data protection server 122, will access the data protection server 122 through network 124 with their personal computing device 126 also being connected to network 124. Personal computing device 126 could comprise a wide variety of devices, such as a desk top computer, lap top computer, notebook, tablet computer, smart phone, etc. The security service system 120 of the present embodiment will accommodate and be operable with the operating system of computing device 126, which can be Windows®, Mac OS®, Android®, etc.

Server 122 will support a web service that will exchange data with common formats such as XML, JSON and the like. As will be appreciated by those skilled in the art, this embodiment will utilize one of C and C++ language for driver programming. Also, in this embodiment, C# will be combined with C/C++ for use with Windows Platform for example on the personal computing device 126. The web service supported by data protection server 122 can be accessed from computing devices via a web site that includes instructions in HTML or another suitable language. The website supported by data protection server 122 will work on common browsers such as Internet Explorer®, Firefox®, Chrome®, Opera®, Safari® and others.

The user seeking a security service will connect to the website through use of their browser. The website will provide the user an array of security packages to select from, as for example: one user with one computing device to secure; one user with multiple computing devices to secure; or family subscription with multiple devices to secure. The user will select the appropriate plan that will suit them and proceed with the registration process for that plan.

Data protection server 122 will store and implement software for the security service. This software can be in one or more modules, downloadable onto the personal computing device 126 or another suitable computing device. Some of the modules can be configured to execute on personal computers and other user devices as client components of the authentication system. In this embodiment, there are two modules, password management system 128 and data protection module 130, that will be used to implement some of the functionality of the security service on user computing devices. Once the user has selected the desired plan or package they wish to subscribe to, password management system module 128 will be used to provide the user web pages to be populated by the user in order to collect information in registering the new user and their computing device to the security service. The information requested will include, in this embodiment, their name, address, e-mail address and banking information such as credit card information. The user will be asked to execute a payment for the package or plan they had selected. With the payment transaction successfully completed, the password management system 128 will provide the new user queries for creating a user name and password for logging into the security service web site.

With the user name and password completed, password management system module 128, in this embodiment, will assign a user identification (UID) number with the data collected above from the new user. Module 128 will transmit the UID and the data collected above as customer subscription data 134 to database 132, which comprises one or more computing devices with non-transitory memory readable by one or more processors. The database 132 can be, for example, a relational database in which customer subscription data 134 is accessible using SQL queries.

The new user will then be asked by the web page provided by module 128 to identify the computing device(s) 126 to be protected by the security service. In some embodiments, this information will include the make, model and serial number of the computing device(s) 126. This data will likewise be stored in database 132 under the UID number as customer subscription data 134. A customer account has now been created. Module 28 will also manage and interface with the subscriber/new user to provide the new user services related to implementing the security service to the user's computing device(s) 126 and to provide services related to supporting and maintaining the security service for the user.

With the user now registered, the password management system module 128 will randomly generate one component 102 of a key that will be used to assist in assembling a complete key used in conjunction to successfully operate encryption/decryption software with this service. Through password module 128 the website will inform the user that encryption/decryption software will be downloaded onto computing device 126 and will cause an instance of data protection module 130 to be downloaded onto computing device 126. With the downloading of the encryption/decryption software commenced, the password module 128 informs the user through a web page to connect peripheral storage device 104 to computing device 126, as mentioned previously in this embodiment, to plug in USB flash drive into the USB port of the computing device 126. The password module 128 sends one component key 102 that was randomly generated by password module 128 to computing device 126 wherein the one component 102 is stored on peripheral storage device 104 and at the same time, in this embodiment, password module 128 transmits this one component 102 of the key to database 132 to be stored as part of encryption key information 135 associated with the UID number of this particular user.

During the downloading process of the encryption/decryption software onto computing device 126, password module 128 will request by way of a web page sent to the new subscriber to create a password. This password will operate as the other component 106 of the key. This password will be transmitted from computing device 126 to data protection server 122 wherein password module 128 will transmit this password or other component 106 of the key to database 132 to be stored as encryption key information 135 in association with this user's UID. At this point, password module 128 will assemble a complete key from one component 102 and other component 106. This complete key which is now associated with this particular user is used by password module 128 in conjunction with the encryption/decryption software of data protection module 130 to encrypt a file that was randomly generated by password module 128. As mentioned above, this file could take many forms of information that can be encrypted and decrypted by the software. In this embodiment it is a text file. The encrypted text file is downloaded to peripheral storage device 104 through computing device 126. This encrypted file is control input file 114. The unencrypted version of this file is transmitted to peripheral storage device 114 from password module 128 through computing device 126 as control output file 116.

During the registration process, with encryption/decryption software downloaded as data protection module 130 and completely assembled key present from one component 102 from peripheral storage device 104 and the other component or password 106 present on computing device 126, the user will be provided a query as to whether they want all stored files on computing device 126 or select files stored on computing device 126 encrypted. The user will make a selection and the process will commence to encrypt stored files resulting in encrypted files 136. The user can choose to log off and will have now armed their computing device 126 to be able to more securely protect stored files on computing device 126. At that point, user can then separate their peripheral storage device 114 from computing device 126 and secure device 114. The next time user wishes to use computing device 126 to access stored encrypted data or to receive or create data that it wishes to encrypt, user plugs USB flash drive or peripheral storage device 114 into connection with computing device 126 such as USB port and goes through the peripheral storage device 114 verification process as described earlier. With storage device 114 authenticated, the user can commence decrypting and encrypting files on computing device 126.

Password management module 128 will also allow a user who will access the web site supported by data protection server 122 to request a retrieval of their password 106 from encryption key information 135 stored in database 132. This may occur with the password 106 of the user having been lost, forgotten or compromised. Additionally, password management module 128 will also permit a user to change their password 106 for similar reasons. Each of these steps of retrieval and changing of passwords will be accompanied by security steps to assure the user to be associated with the particular customer account prior to going through either of these processes as discussed above.

Password management module 128 will operate to authenticate the requester. As mentioned earlier, at the time of registration the user will have been asked at least one question so as to provide certain very private information related to the user. This information will be stored by module 128 into database 132 as customer subscription data 134 in association with the UID. At the time the request is made by the user, the user will be provided the same question asked at the time of registration and the user will provide an answer that will be compared by password management module 128 to the answer provided by user at the time of registration that is stored in customer subscription data 134. If there is a match, password management module 128 will proceed to retrieve or allow the user to change the password. A changed password will be forwarded by module 128 to database 132 and stored in encryption key information 135 in association with the UID of the user in replacement of the former password.

Password management system module 128, as mentioned above, will, at the time of registration, randomly generate one component 102 for the key for the user. This one component 102 is transmitted from module 128 by data protection server 122 to peripheral storage device 104 through computing device 126 and stored on peripheral storage device 104. One component 102 is also transmitted from module 128 to database 132 as encryption key information 135 in association with the user UID at the time of registration. Thus, for example, if a user loses or breaks their peripheral storage device 104, the user will contact the web page supported by data protection server 122 and module 128 and request either a retrieval or new one component 102. With the matching of very private information as described above with respect to password 106, password module 128 will proceed to retrieve or generate a new, as requested, one component 102. The user will be instructed through a web page to connect their peripheral storage device 104 so that module 128 can transmit one component 102 data through computing device 126 and store it onto peripheral storage device 104. Depending on the circumstances, authentication software from password module 128 along with input control file 114 and output control file 116 can also be downloaded from module 128 through computing device 126 and stored onto peripheral storage device 104. Thus, the online security service can provide services to the user to enable the user to continue to secure their data on their computing device 126.

It is noted that peripheral storage device 104 can be a dedicated storage device (such as a USB flash drive discussed above) or any other device having storage capability that can be communicatively coupled to personal computing device 126. For example, a user can store files 102, 114, and 116 on a smartphone with which personal computing device 126 can set up a USB connection or a wireless connection as a Wireless Personal Area Network (WPAN), for example. As another example, a wearable computer (e.g., a “smart watch”) can store the files 102, 114, and 116 and wirelessly connect to personal computing device 126.

Now referring to FIG. 3A, it is a block diagram of an example user computing device 126 that can operate in the computing system of FIG. 2. Personal computing device 126 as mentioned earlier can comprise a desk top computer, lap top computer or notebook or the like. Computing device 126 has a user interface 136 such as a graphical user interface (GUI) which in this embodiment would comprise a screen, a keyboard, a mouse, speakers, etc. A network interface 138 is also provided to permit computing device 126 to interconnect with network 124 in a wired or wireless manner. Computing device 126 further includes a peripheral device interface 140 that will permit other devices such as a USB flash drive or keyboard to be connected to computing device 126 and communicate therewith. One or more processors 142 are provided to execute the software stored on non-persistent memory of the computing device 126 such as on Random-Access Memory or RAM 144 which stores such software programs as device driver software 146, web browser 148, data protection module 130 which in this example carries the encryption/decryption module and operating system software 152 which may include systems such as DOS, OS/2, Windows, Linux, Mac etc. Computing device 126 further includes persistent memory 154, such as a hard disk, flash drive, etc., which will store files and in this embodiment will store encrypted files 164 that have been encrypted by encryption/decryption software within data protection module 130, as shown in FIG. 3B and will also store unencrypted files of user.

As schematically illustrated in FIG. 3A, data protection module 130 can operate similar to a device driver 146 in a kernel mode unlike web browser 148, for example, which runs in user mode. In this manner, the encryption and decryption can be achieved more seamlessly, as various software applications (such as text editing software) can invoke the encryption/decryption functionality of this disclosure similar to the functionality of OS 152.

In an embodiment, RAM 144 also stores a complete key 155 generated based on components 102 and 106. Complete key 155 can be purged from RAM 144 once the user shuts down computing device 126, logs off, or issues an explicit command. In this manner, data protection module 130 can use complete key 155 to encrypt and decrypt files while the current user session is active.

In general, peripheral device interface 140 can support any wired or wireless short-range communication link via which personal computing device 126 can communicate with a peripheral storage device. Some of the examples of a suitable interface include a serial RS232 connection, USB, IEEE 802.15 (Bluetooth®), IEEE 802.11n (WiFi Direct™), etc.

In referring to FIG. 3B, it is a block diagram of an example software module that can be implemented in the user device of FIG. 3A to encrypt and decrypt data using two component keys 102 and 106. Data protection module 130, in this embodiment, will include a key management module 156, a peripheral storage device authentication module 157, and encryption/decryption engine 158. Encryption/decryption engine 158 in this embodiment comprises AES; however, any comparable or higher level known standard encryption/decryption software may be used. With both components 102, 106 of the key provided in this embodiment, one component 102 or Key 1 is the component of the key that was randomly generated by the online security service at the time the user registered with the online security service wherein one component 102 was stored on USB flash drive. One component 102 of the key is stored onto USB flash drive plugged into the USB port of computing device 126 during the registration process. The other component 106 of the key or Key 2 is provided by the user as a password inputted into computing device, such as through use of a keyboard of computing device 126. This password was created at the time of registration with the online security service as well. With both Key 1 and Key 2 102, 106 provided to key management module 156 the complete key is assembled and is provided as an operative parameter to encryption/decryption engine 158. With complete key 155 present with encryption/decryption engine 158, a user can select a file or save a file 162 and the file will be encoded 164. Similarly, with a fully assembled key 155 and the encryption/decryption engine 158 in the presence of an encrypted file 164, encrypted file 164 can be properly decrypted.

Authentication module 157 can receive Key 1 and Key 2, assemble a complete key, verify that the assembled key is correct using the techniques discussed in more detail below, and store the complete key in RAM 144 if the complete key is correct.

Although data protection module 130 in the illustrated embodiments is downloaded from data protection server 122, in general a user can obtain data protection module 130 from any suitable source via any suitable carrier of computer software (e.g., CD, DVD, flash drive). In one example embodiment, the user can download data protection module 130 from a server associated with an online application (“app”) store. This server can operate independently and separately from server 122. Data protection module 130 can be platform-specific, so that the online app store can provide one version for a computing device that executes Windows®, another version that executes Mac OS®, etc. In another embodiment, the user installs data protection module 130 from a compact disc (CD).

Further, the security system of this disclosure need not provide all components that make data protection module 130 in all embodiments. Thus, encryption/decryption engine 158 can be provided as a service of an operating system of the computing device. Key management module 156 in these cases can interface with this service using an appropriate application programming interface (API) exposed by the operating system.

In one example embodiment, key management module 156 generates a complete key by simply appending Key 2 to the end of Key 1. Thus, if Key 1 is a user-selected alphanumeric string and Key 2 is a sequence of hexadecimal values, key management module 156 can assemble the complete key by appending the sequence of hexadecimal values defining Key 2 to the sequence of hexadecimal values corresponding to Key 1. More generally, Key 1 and Key 2 can be combined in any suitable manner, such as by interleaving the sequences of values defining Key 1 and Key 2, respectively.

In referring to FIG. 4A, it is a block diagram of an example data protection server 122 that can operate in the computing system of FIG. 2. As mentioned earlier, data protection server 122 may comprise one or more servers. Server 122 will comprise one or more processor(s) 166, network interface 168 and RAM 170 much like computing device 126 described earlier. RAM 170 will store, in this example, two software modules, password management system 128 and data protection module 130. Processor 166 will be used to execute module 128 and operate network interface 168 permitting server 122 to communicate with network 124.

In referring to FIG. 4B, it is a block diagram of an example software system that can be implemented in the server of FIG. 4A to manage keys and provide other functions related to encryption and decryption techniques of this disclosure. The user of the security service, as described earlier, must first register with the online security service. The user communicates with server 122 using computing device 126 wherein, in this example, both are connected to the internet network 124. As mentioned earlier, user contacts server 122 which along with password management system 128 supports a web page for the security providing system 120. By way of user input 172 and network interface 168 user is in communication with password management system 128.

In the first instance of communicating with the web page provided, the new user registers with online security service by way of new user registration module 174 of password management system 128. The new user will be asked to select from different packages offered by the online security service as discussed earlier. The user will provide input 172 selecting the package the user desires to obtain. The new user will be provided questions to answer from a web page provided such as in this embodiment, the name of the new user, their address, their e-mail address and banking information such as a credit card of the new user. The new user will be asked by new user registration module 174, in this embodiment, to execute a payment to the online security service for the package they had selected. At that point, with a satisfactory payment received by the online security service, module 174 will provide new user queries for creating a user name and a password for entering the system. With user name and password completed, module 174 assigns a user identification (UID) number along with the selection of the package and all information at this point collected from the user and forwards the UID and data collected to customer data & password database interface 176 and it is all then forwarded to database 132 and is stored as customer subscription data 134.

The new user will receive further queries by way of a web page in this embodiment from new device registration module 178. The web page will ask the new user to register the device(s) that are under the package or plan the user chose. In this embodiment the user will be asked to provide some information about the computing device such as the make, model and serial number of computing device 126 that will be protected under this security service. This information will be sent to customer database interface 176 and forwarded to database 132 and stored as customer subscription data 134. In this embodiment this data is sent along with the UID and is stored in association with the previous data stored with the same UID. A new customer account has been created.

With the user registered, key generation module 180 of password management system 128 randomly generates one component 102 of the key. This one component 102 is transmitted to the customer data interface 176 and to database 132 and stored under the UID of the new customer as customer subscription data 134. In this embodiment key generation module 180 through a web page will inform the user the encryption/decryption software will be downloaded onto computing device 126 and will commence downloading an instance of the data protection module 130. With the downloading of the encryption/decryption software commenced, system 128 informs user through a web page to connect peripheral storage device 104 to computing device 126. In this example USB flash drive is plugged into USB port of computing device 126. Key generation module 180 sends one component key 102 to computing device 126 wherein the one component 102 is stored on peripheral storage device 104 and at the same time, in this embodiment, key generation module 180 transmits the one component 102 of the key to database 132 to be stored as encryption key information 135 associated with the UID number of this particular user. In some embodiments, data protection module 130, once downloaded and installed on personal computing device 126, automatically attempts to locate a peripheral storage device, communicates with system 128 to obtain a key, and otherwise sets up subsequent encryption and decryption on personal computing device 126.

While the data protection module 130 is being downloaded onto the memory of computing device 126, in this embodiment, password change/recovery module 182 will send a web page to computing device 126 requesting the subscriber to create the other component 106 of the key or a password for the operation of the security system. This password 106 will be transmitted by the computing device 126 of the user to server 122 wherein password module 182 transmits this other component 106 of the key to customer interface 176 and to database 132 and enters it into customer subscription data 134 associated with the UID number of that particular user.

At this point, database 132 has stored both components 102 and 106 of the key. Password module 182 assembles components 102 and 106 of the key and in conjunction with the encryption/decryption software of data protection module 150 encrypts a file it has randomly generated. In this embodiment it is a text file, however, it can be any file that is subject to being encrypted and decrypted by the encryption/decryption software. Password module 182 transmits the unencrypted file to computing device 126 to be stored on peripheral storage device as control output file 116. Password module 182 also transmits the corresponding encrypted file to computing device 126 to be stored as control input file 114.

Password management system 128 also will allow a user to enter the web site of the online security service that is supported by server 122 and through a web page provided by password change/recovery module 182 request a recovery or retrieval of their password or other component 106 of the key that is stored in customer subscription data 134. This may occur upon the user forgetting the password 106 or upon password 106 having been compromised. As discussed earlier, once the user has logged into the web site of the online security service and has requested such a retrieval, the web page will exercise a security step prior to carrying out the request. The web page will ask at least one question that user had provided the answer to at the time of registration. This information is typically very private in nature as it relates to the user. With a matching answer received by module 182, password change/recovery module 182 will proceed to retrieve the password 106 stored in customer subscription data 134 and transmit the same to computing device 126 to the user.

This same security procedure will be used for the user to be able to change their password or other component 106 of the key. The procedure for changing the password will require, in this embodiment, the user to forward from computing device 126 two copies of the new password 106 for accuracy verification. The new password 106 will be stored as customer subscription data 134 in database 132. In addition, this new other component or password 106 will now have to be used to construct a new key. The user will be asked to connect their peripheral storage device 104, password change/recovery module 182 will take the new password 106 and combine it with the one component 102 of the key to assemble a new complete key. This new key will be used to encrypt another file, in this instance a text file and forward it to computing device 126 for it to be stored on peripheral storage device 104 as control input file 114 and an unencrypted version of that file will be sent to computing device 126 to be stored as control output file 116. As a note, the old complete key could be assembled by module 182 and provide user with the corresponding control input file 114 and control output file 116 in order for user to access their stored encrypted files and decrypt them. At that point, the user can utilize the new complete key with the new control input file 114 and control output file 116 and begin encrypting and decrypting files with the new complete key.

To make this procedure appear seamless for the user, password management system 128 automatically re-encrypts, using the new key, those files that were encrypted using the old key. It is noted, however, that this procedure may consume a noticeable amount of time.

As mentioned above, key generation module 180 would randomly generate one component 102 of the key for the user at the time of registration. This one component 102 was stored as customer subscription data 134 in database 132 and was stored on the user's peripheral storage device 104 as well. Thus, at a time, for example, the user loses their peripheral storage device 104 or it is broken or stolen the user will not be able to encrypt or decrypt data on their computing device 126 without this one component 102 of the key that was stored on the peripheral storage device 104. As a result the user will contact the online security service's web page, log in and request a retrieval of the one component 102 of the key. The user will be security cleared as mentioned above with respect to retrieval or change of the other component 106 of the key or password. Key retrieval module 184 will retrieve one component 102 of the key from customer subscription data 134 on database 132. The user will be asked to connect their peripheral storage device 104 to their computing device 126 and module 184 will transmit one component 102 of the key to computing device 126 to be stored on peripheral storage device 104. If at that time, it was a new peripheral storage device, user would be asked for receiving control input file 114 that was encrypted by module 184 and for the corresponding unencrypted file control output file 116. Should the user need files 114 and 116 they would also be forwarded by module 184 to computing device 126 to be stored on peripheral storage device 104. The user would be provided the needed authentication software to authenticate the peripheral storage device 104 as would be transmitted to the computing device 126 by module 184 and stored on peripheral storage device 104. With respect to creating a new one component 102, a new key would need to be assembled and creating new control input 114 and control output 116 files would need to be generated and stored on peripheral storage device 104. Also, the user may need to have the previous one component 102 of the key and the corresponding control input 114 and control output 116 files created in order for the user to operate to decrypt encrypted files under the earlier regimen of a different complete key with its corresponding different authentication set up.

As a result, the online security service can provide various needed services through a web page supported by server 122. The user can access the web page with its computing device 126 through the internet network 124. In this way the user may change passwords 106, retrieve passwords 106, retrieve one component 102 of the key, obtain control input file 114, control output file 116 and the needed software to carry out authentication of the peripheral storage device 104.

In referring to FIG. 5, it is a flow diagram of an example method for creating a pair of keys and generating authentication information for a removable storage device 104, which can be implemented in the user computing device 126 of FIG. 3A. With computing device 126 connected to data protection server 122 through internet network 124 connection, in this embodiment, and the account opened by the user as described above, step 186 commences with data protection module 130 being downloaded and/or installed onto computing device 126. Data protection module 130 can include key management module 156 and/or encryption/decryption engine 158. In step 188, the web site of the online security service which is supported by server 122 will prompt user to insert peripheral storage device 104 into their computing device 126. Key generation module 180 will randomly generate one component 102 of the key or first key in step 190. The web site of the online security service will notify user to create a second key or other component 106 (step 192) and forward the same from computing device 126 to be received by server 122 through network interface 168. In this embodiment, password management system 128 through password change/recovery module 182 will assemble a complete or main key from one component 102 and other component 106 of the key in step 194. Password management system 128 will generate authentication data with using the complete or main key in conjunction with encryption/decryption software of data protection module 130 and encrypts a file it randomly generated. This file is an encryptable and decryptable file with respect to the encryption/decryption software. In this embodiment the file is a text file and it is encrypted, while maintaining an unencrypted version of the file as well for step 196. The encrypted version of the file is forwarded to computing device 126 and stored on the peripheral storage device 104 as control input file 114 and the unencrypted version of that file is forwarded to computing device 126 and stored on peripheral device 104 as control output file 116 in step 198.

In referring to FIG. 6, it is a flow diagram of an example method for encrypting data using one component 102 of a key stored on a removable storage device 104 and another component 106 of the key submitted by a user which can be implemented in the user computing device 126 of FIG. 3A. In the illustrated embodiment, user login can be detected at block 200. This event can trigger the creation of a new session during which data is seamlessly encrypted and/or decrypted. More generally, a session can begin in response to any one of suitable events such as connection to a peripheral storage device or a user command, for example.

The encryption/decryption software can commence the process of assembling the encryption key by obtaining one component 102 of a key for encrypting from a peripheral storage device 104 as step 202. In this embodiment one component 102 of the key was stored on the peripheral storage device 104 by the online security service randomly generating it at the time of registration. The user then needs to provide another component 106 of the key (which the user had created at the time of registration by the user) to the encryption/decryption software inputting it into computing device 126 through a user interface such as a keyboard as step 204. The next step 206 is for the key to be assembled on computing device 126 with using one component 102 and another component 106.

With the complete key assembled and encryption/decryption software stored on the computing device 126, at the time of registration, an encryption/decryption session begins in step 208. In particular, the assembled key may be stored in volatile memory for the duration of the session. During the session, one or several files that require encryption or decryption are captured in step 210. These files are encrypted or decrypted in step 212 using the key assembled for the session. If an event indicating that the session completed is detected in step 214, the flow returns to block 210 (where additional file(s) may be captured). Otherwise, the flow proceeds to step 216, where the key is removed from the volatile memory.

FIG. 7 shows a flow diagram of an example method for generating authentication information for a removable storage device 104, which can be implemented to authenticate peripheral storage device 104 of FIG. 2. Password management system 128, stored on server 122 will generate a random file, one that can be encrypted and decrypted by the encryption/decryption engine 158 of data protection module 130 used in conjunction with one component 102 and another component 106 of the key assembled into a complete key. In this embodiment, password management system 128 will generate this random file as a text file in step 220. With the fully assembled key comprised of one component 102 and another component 106, both retrieved from customer subscription data 134 from database 132, module 182 with the complete key and encryption/decryption software from data protection module 130 will encrypt the text file in step 222. The encrypted text file is transmitted to computing device 126 and stored in peripheral storage device 104 as control input file 114, the corresponding unencrypted randomly generated file is transmitted to computing device 126 and stored on peripheral storage device 104 as control output 116 and one component 102 of the key is also transmitted to computing device 126 and stored on peripheral storage device 104 as step 224. This data stored on peripheral storage device 104 will be used as discussed earlier to carry out the authentication function of the peripheral storage device 104.

In referring to FIG. 8, it is a flow diagram of an example method for authenticating a removable storage device 104 storing a key. The method in this embodiment includes a user in operation of their computing device 126 wishing to either encrypt/decrypt data on their computing device 126. User will request the encryption/decryption of the data which will use one component 102 of the key which is stored on peripheral storage device 104 as step 226. The user will be prompted to provide the other component 106 of the key in step 228 which as discussed earlier would be a password in this embodiment. At which point, user can enter other component 106 by way of user interface or keyboard of computing device 126, in step 230 in this example. With one component 102 and other component 106 of the key, the main or complete key is assembled in step 232.

With the main key assembled and the encryption/decryption engine 158 present from data protection module 130, a randomly generated file by password change module 182 as discussed above, in this embodiment, the randomly generated file is generated by module 182 and encrypted. The encrypted version is stored on the peripheral storage device 104 as control input 114 as step 234, the corresponding unencrypted version of the file is stored on the peripheral storage device 104 as control output 116 and the one component 102 of the key is also stored on peripheral storage device 104.

With the encrypted version of the file or control input file 114 in step 236 is decrypted by the complete or main key comprising components 102 and 106 in conjunction with encryption/decryption engine 158 and the now decrypted input control file 114 is compared to corresponding unencrypted file 116 in step 236. If there is a match, “yes”, peripheral storage device 104 is authenticated at step 238. This means the main key was properly assembled and used with the encryption/decryption engine 158 and user can proceed to encrypt and decrypt files on their computing device 126. The main key is stored in RAM (or other type of volatile memory) in step 242 for the duration of the session. However, if there was not a match between the decrypted control input file 114 and the control output file 116, “no”, the peripheral storage device fails to authenticate in step 240 meaning one or both of the components 102 and 106 of the key were wrong thereby indicating the storage device 104 is not the correct device carrying the correct one component 102 of the key or the other component 106 of the key was not correct. In either instance, the user will not be able to successfully proceed to encrypt and decrypt files on the computing device 126. Accordingly, in step 244, the session is prevented from being activated, so that previously encrypted files cannot be decrypted and, conversely, new files cannot be encrypted using the techniques of this disclosure.
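An added sketch of the FIG. 5 to FIG. 8 flow (not code from the patent): provisioning the storage device, assembling the key from components 102 and 106, checking it against control input 114 and control output 116, and holding it in memory only while the session is active. The PBKDF2 stretching, the HMAC-based keystream standing in for engine 158, and all function and field names are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def assemble_key(password: str, component_102: bytes) -> bytearray:
    # Steps 206/232: the key is built from both components (claim 12 appends them).
    # Assumption: PBKDF2 stretches the user component, salted with the device component.
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), component_102, 200_000, dklen=32)
    return bytearray(derived)  # mutable so it can be overwritten later


def keystream_xor(key: bytearray, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for encryption/decryption engine 158 (assumption, not a vetted cipher):
    # HMAC-SHA256 in counter mode yields a keystream that is XORed with the data.
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wipe(key: bytearray) -> None:
    # Step 216: best-effort removal; Python cannot guarantee no other copies exist.
    for i in range(len(key)):
        key[i] = 0


def provision_device(password: str) -> dict:
    # FIG. 5 / FIG. 7: random component 102, random text file, and its encrypted copy.
    component_102 = secrets.token_bytes(32)
    control_output_116 = secrets.token_hex(32).encode("ascii")
    key = assemble_key(password, component_102)
    nonce = secrets.token_bytes(NONCE_LEN)
    control_input_114 = nonce + keystream_xor(key, nonce, control_output_116)
    wipe(key)
    return {
        "component_102": component_102,
        "control_input_114": control_input_114,
        "control_output_116": control_output_116,
    }


class Session:
    def __init__(self) -> None:
        self._key = None

    @property
    def active(self) -> bool:
        return self._key is not None

    def activate(self, password: str, device: dict) -> bool:
        # Steps 226-236: assemble the key, decrypt control input, compare to control output.
        key = assemble_key(password, device["component_102"])
        blob = device["control_input_114"]
        recovered = keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])
        if not hmac.compare_digest(recovered, device["control_output_116"]):
            wipe(key)      # steps 240/244: no match, session is not activated
            return False
        self._key = key    # step 242: key kept in volatile memory for the session
        return True

    def end(self) -> None:
        # Logoff or device removal (claims 5 and 6) ends the session and clears the key.
        if self._key is not None:
            wipe(self._key)
            self._key = None
```

Because component 102 and both control files are stored on the same device, the check can be run offline by whoever holds it, so the cost of each password guess is set by the key-stretching step.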

Throughout this specification, plural instances may implement components, operations, or structures described as a single instance. Although individual operations of one or more methods are illustrated and described as separate operations, one or more of the individual operations may be performed concurrently, and nothing requires that the operations be performed in the order illustrated. Structures and functionality presented as separate components in example configurations may be implemented as a combined structure or component. Similarly, structures and functionality presented as a single component may be implemented as separate components. These and other variations, modifications, additions, and improvements fall within the scope of the subject matter of the present disclosure.

Additionally, certain embodiments are described herein as including logic or a number of components or modules. Modules may constitute either software modules (e.g., code stored on a non-transitory machine-readable medium) or hardware modules. A hardware module is a tangible unit capable of performing certain operations and may be configured or arranged in a certain manner. A hardware module may comprise dedicated circuitry or logic that is permanently configured (e.g., as a special-purpose processor, such as a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC)) to perform certain operations. A hardware module may also comprise programmable logic or circuitry (e.g., as encompassed within a general-purpose processor or other programmable processor) that is temporarily configured by software to perform certain operations. It will be appreciated that the decision to implement a hardware module in dedicated and permanently configured circuitry or in temporarily configured circuitry (e.g., configured by software) may be driven by cost and time considerations.

Accordingly, the term hardware should be understood to encompass a tangible entity, be that an entity that is physically constructed, permanently configured (e.g., hardwired), or temporarily configured (e.g., programmed) to operate in a certain manner or to perform certain operations described herein. Considering embodiments in which hardware modules are temporarily configured (e.g., programmed), each of the hardware modules need not be configured or instantiated at any one instance in time. For example, where the hardware modules comprise a general-purpose processor configured using software, the general-purpose processor may be configured as respective different hardware modules at different times. Software may accordingly configure a processor, for example, to constitute a particular hardware module at one instance of time and to constitute a different hardware module at a different instance of time.

Hardware and software modules can provide information to, and receive information from, other hardware and/or software modules. Accordingly, the described hardware modules may be regarded as being communicatively coupled. Where multiple of such hardware or software modules exist contemporaneously, communications may be achieved through signal transmission (e.g., over appropriate circuits and buses) that connect the hardware or software modules. In embodiments in which multiple hardware modules or software are configured or instantiated at different times, communications between such hardware or software modules may be achieved, for example, through the storage and retrieval of information in memory structures to which the multiple hardware or software modules have access. For example, one hardware or software module may perform an operation and store the output of that operation in a memory device to which it is communicatively coupled. A further hardware or software module may then, at a later time, access the memory device to retrieve and process the stored output. Hardware and software modules may also initiate communications with input or output devices, and can operate on a resource (e.g., a collection of information).

The performance of certain operations may be distributed among the one or more processors, not only residing within a single machine, but deployed across a number of machines. In some example embodiments, the processor or processors may be located in a single location (e.g., within a home environment, an office environment or as a server farm), while in other embodiments the processors may be distributed across a number of locations.

Some portions of this specification are presented in terms of algorithms or symbolic representations of operations on data stored as bits or binary digital signals within a machine memory (e.g., a computer memory). These algorithms or symbolic representations are examples of techniques used by those of ordinary skill in the data processing arts to convey the substance of their work to others skilled in the art. As used herein, an “algorithm” or a “routine” is a self-consistent sequence of operations or similar processing leading to a desired result. In this context, algorithms, routines and operations involve physical manipulation of physical quantities. Typically, but not necessarily, such quantities may take the form of electrical, magnetic, or optical signals capable of being stored, accessed, transferred, combined, compared, or otherwise manipulated by a machine. It is convenient at times, principally for reasons of common usage, to refer to such signals using words such as “data,” “content,” “bits,” “values,” “elements,” “symbols,” “characters,” “terms,” “numbers,” “numerals,” or the like. These words, however, are merely convenient labels and are to be associated with appropriate physical quantities.

Unless specifically stated otherwise, discussions herein using words such as “processing,” “computing,” “calculating,” “determining,” “presenting,” “displaying,” or the like may refer to actions or processes of a machine (e.g., a computer) that manipulates or transforms data represented as physical (e.g., electronic, magnetic, or optical) quantities within one or more memories (e.g., volatile memory, non-volatile memory, or a combination thereof), registers, or other machine components that receive, store, transmit, or display information.

As used herein any reference to “one embodiment” or “an embodiment” means that a particular element, feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment.

Some embodiments may be described using the expression “coupled” and “connected” along with their derivatives. For example, some embodiments may be described using the term “coupled” to indicate that two or more elements are in direct physical or electrical contact. The term “coupled,” however, may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other. The embodiments are not limited in this context.

As used herein, the terms “comprises,” “comprising,” “includes,” “including,” “has,” “having” or any other variation thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, article, or apparatus that comprises a list of elements is not necessarily limited to only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Further, unless expressly stated to the contrary, “or” refers to an inclusive or and not to an exclusive or. For example, a condition A or B is satisfied by any one of the following: A is true (or present) and B is false (or not present), A is false (or not present) and B is true (or present), and both A and B are true (or present).

In addition, use of the “a” or “an” are employed to describe elements and components of the embodiments herein. This is done merely for convenience and to give a general sense of the description. This description should be read to include one or at least one and the singular also includes the plural unless it is obvious that it is meant otherwise.

While particular embodiments of the present invention have been shown and described, it will be obvious to those skilled in the relevant arts that changes and modifications may be made without departing from the invention in its broader aspects. Therefore, the aim in the appended claims is to cover all such changes and modifications that fall within the true spirit and scope of the invention. The matter set forth in the foregoing description and accompanying drawings is offered by way of illustration only and not as a limitation. The actual scope of the invention is intended to be defined in the following claims when viewed in their proper perspective based on the prior art.

What is claimed is:
 1. A method for generating cryptographic keys for encrypting and decrypting data, the method comprising: receiving, by one or more processors, a first component of a cryptographic key from a user via a user interface of a user computing device; receiving, by the one or more processors, a second component of the cryptographic key via a short-range communication interface that communicatively couples the user computing device to a physically separate storage device; generating, by the one or more processors, the cryptographic key based at least on the first component and the second component; and using the cryptographic key to encrypt and/or decrypt data, by the one or more processors.
 2. The method of claim 1, wherein using the cryptographic key to encrypt and/or decrypt the data includes: storing the generated cryptographic key in a volatile memory of the user computing device during an active session, automatically encrypting and/or decrypting data accessed by the user during the active session, by the one or more processors, and deleting the cryptographic key from the volatile memory when the active session completes.
 3. The method of claim 2, further comprising: verifying the cryptographic key using control data stored on the storage device, wherein the generated cryptographic key is stored in the volatile memory only in response to the cryptographic key having been successfully verified.
 4. The method of claim 3, wherein the control data includes first control data and second control data, and wherein verifying the cryptographic key includes: retrieving the first control data from the storage device, applying the cryptographic key to the first control data to generate an encryption/decryption result, and comparing the encryption/decryption result to the second control data, wherein the cryptographic key is successfully verified when the encryption/decryption result matches the second control data.
 5. The method of claim 2, further comprising completing the active session in response to detecting that the storage device has been removed.
 6. The method of claim 2, further comprising completing the active session in response to detecting that the user logged off.
 7. The method of claim 1, wherein using the cryptographic key to encrypt and/or decrypt the data includes automatically applying, by the one or more processors, the cryptographic key to files stored in a persistent memory of the user computing device, which the user accesses during an active session, without prompting the user.
 8. The method of claim 7, wherein applying the cryptographic key to the files stored in a persistent memory of the user computing device including executing a task in a kernel mode on the user computing device.
 9. The method of claim 1, further comprising, prior to receiving the second component via the short-range communication interface: receiving, by the one or more processors, the second component of the cryptographic key via a long-range communication interface from a network server; causing, by the one or more processors, the second component of the cryptographic key to be stored in the storage device.
 10. The method of claim 8, further comprising: providing, by the one or more processors, an interactive menu for receiving registration data from a user; and sending the registration data to the network server via the long-range communication interface, wherein the second component of the cryptographic key is received from the network server in response to the registration data.
 11. The method of claim 1, wherein the user computing device has a port to removably couple the user computing device to a peripheral storage device, wherein the second component of the cryptographic key is received via the port from the peripheral storage device.
 12. The method of claim 1, wherein generating the cryptographic key includes appending, by the one or more processors, one of the first and the second component of the cryptographic key to the other one of the first and the second component of the cryptographic key.
 13. A network server comprising: a communication interface to communicatively couple the network server to a user computing device via a communication network; and processing hardware configured to: receive a request for a cryptographic key from the user computing device, wherein the request includes a first component of the cryptographic key, the first component having been specified by a user of the user computing device, in response to the request, automatically generate a second component of the cryptographic key, and provide the second component of the cryptographic key to the user device for storage on a storage device physically separate from the user computing device, wherein the user computing device is configured to (i) generate the cryptographic key based at least on the first component and the second component of the cryptographic key and (ii) encrypt and/or decrypt user-selected data using the cryptographic key.
 14. The network server of claim 13, further comprising: a computer-readable storage in which a database is implemented; wherein the processing hardware is further configured to: receive registration data for the user from the user computing device, and store the registration data, the first component of the cryptographic key, and the second component of the cryptographic key in the database.
 15. The network server of claim 14, wherein the processing hardware is further configured to reset the cryptographic key in response to a user request, including generate a new second component of the cryptographic key.
 16. The network server of claim 13, wherein the processing hardware is further configured to: generate the cryptographic key based on the first component and the second component, generate first control data, apply the cryptographic key to the first control data to generate second control data, and provide the first control data and the second control data to the user device for storage on the storage device, wherein the user computing device is configured to verify user input of the first component of the cryptographic key using the first control data, the second control data, and the second component of the cryptographic key.
 17. The network server of claim 16, wherein the processing hardware is configured to generate the first control data randomly.
 18. A method in a user computing device for efficiently encrypting and/or decrypting data, the method comprising: receiving, by one or more processors, an indication that a storage device physically separate from the user computing device is now communicatively coupled to the user computing device via a short-range communication interface; receiving, by the one or more processors, a first component of a cryptographic key from a user via a user interface; retrieving, from the storage device, (i) a second component of the cryptographic key, (ii) first control data, and (iii) second control data corresponding to the first control data encrypted using a correct version of the cryptographic key; generating the cryptographic key based at least on the first component and the second component; and determining whether the generated cryptographic key is correct using the first control data and the second control data.
 19. The method of claim 18, further comprising: receiving, by the one or more processors, the second component of the cryptographic key, the first control data, and second control data from a network server via a communication network; and storing the second component of the cryptographic key, the first control data, and second control data in the storage device.
 20. The method of claim 19, wherein receiving the second component of the cryptographic key, the first control data, and second control data from the network server includes is in response to a user requesting that a new cryptographic key be generated.